7 Motivation
KP-ABE, CP-ABE. Definitions: directly related. Constructions: NO known relation.
Can we generically convert an ABE to its dual? Then we would only construct KP, and get CP as well.
Might be difficult? Historically, CP [BSW07, Waters11] was harder to achieve than KP [GPSW06].

8 Related Work for Dual Conversion
Converting KP-ABE for boolean formulae predicates: small classes of predicates. Its dual CP: only for bounded-size formulae [GJPS08].
Converting KP-ABE for all boolean circuits: implies general predicates, but must start with ABE for circuits. Its dual CP: only for bounded-size circuits [GGHSW13], due to the use of universal circuits.
Summary: less expressivity, and much less efficient.

38 More Results
Dual-Policy ABE: conjunctively combine ABE and its dual [AI09]. We also provide a conversion from ABE to DP-ABE.
More refinement: new specific CP-ABE with tighter reduction.
Full version at

48 Revocation Capability in IBE: Boneh-Franklin
T is time, also regarded as a part of the user's identity.
KGC: Publish mpk. Issue sk T if is not revoked on time T.
Sender to Receiver: Enc(mpk, T, M).
[Diagram: KGC, Sender and Receiver; mpk is published for download.]

49 Revocation Capability in IBE: Boneh-Franklin
T is time, also regarded as a part of the user's identity.
KGC: Publish mpk. Issue sk if is not revoked on time T.
Sender to Receiver: Enc(mpk, T, M).
Problem: The overhead on the KGC increases linearly in the number of users (O(N-R)).
[Diagram: KGC, Sender and Receiver; mpk is published for download.]

63 Revocable Hierarchical IBE (RHIBE)
A low-level user can stay in the system only if her parent also stays in the current time period.
First-level users have an O(log N)-size secret key (as in RIBE): $sk_{ID_1} = (\mathrm{subkey}_1, \ldots, \mathrm{subkey}_{\log N})$.
Second-level users have log N subkeys for each parent's subkey (in total $(\log N)^2$-size subkeys): $sk_{ID_2} = (\mathrm{subkey}_1 * \mathrm{subkey}_1, \ldots, \mathrm{subkey}_1 * \mathrm{subkey}_{\log N}, \ldots, \mathrm{subkey}_{\log N} * \mathrm{subkey}_{\log N})$.
One of the subkeys will be used for computing $ku_T$.
A trivial combination of RIBE and HIBE will result in an impractical scheme with an exponential number of secret keys.
[Diagram label: KGC]

66 Our Contribution
History-Free Update: Low-level users do not need to know what ancestors did during key updates.
Security Against Insiders: An adversary is allowed to obtain state information.
Short Ciphertexts: Constant-size ciphertext in terms of the level of hierarchy.
Two constructions: Complete Subtree (CS), Subset Difference (SD). Shorter secret keys and ciphertexts.
[Diagram label: KGC]
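The O(N-R) per-period overhead of the Boneh-Franklin approach and the O(log N)-size keys of the tree-based approach can be compared with a small model of the Complete Subtree method. This is an added example, not code from the slides or the paper; the heap-style node numbering and all function names are assumptions, and only the tree bookkeeping is modelled, not the pairing-based cryptography.

```python
# Added illustration: tree bookkeeping only, no pairing-based cryptography.
# Assumed layout: heap-numbered binary tree, root = 1, user u sits at leaf N + u.

def path_nodes(n_users, user):
    """Nodes on the leaf-to-root path; a user holds one subkey per node."""
    node = n_users + user
    nodes = []
    while node >= 1:
        nodes.append(node)
        node //= 2
    return nodes

def cs_cover(n_users, revoked):
    """Complete Subtree cover: roots of the maximal subtrees with no revoked leaf."""
    if n_users < 2 or n_users & (n_users - 1):
        raise ValueError("n_users must be a power of two >= 2")
    if any(not 0 <= u < n_users for u in revoked):
        raise ValueError("revoked user index out of range")
    if not revoked:
        return [1]  # nobody revoked: the root alone covers every user
    steiner = set()  # every node that has a revoked leaf below it
    for user in revoked:
        steiner.update(path_nodes(n_users, user))
    # Cover = children hanging off the Steiner tree (internal nodes are < N).
    return sorted(child for v in steiner if v < n_users
                  for child in (2 * v, 2 * v + 1) if child not in steiner)

def usable_node(n_users, user, cover):
    """Cover node on the user's path (None if revoked); it selects the subkey."""
    on_path = set(path_nodes(n_users, user))
    hits = [n for n in cover if n in on_path]
    return hits[0] if hits else None

def kgc_work(n_users, revoked):
    """Per-period KGC output: one key per live user versus one element per cover node."""
    return {"per_user_keys": n_users - len(revoked),
            "cs_update_nodes": len(cs_cover(n_users, revoked))}

if __name__ == "__main__":
    cover = cs_cover(8, {2})  # constructed sample: 8 users, user 2 revoked
    print("cover:", cover)
    for u in range(8):
        print("user", u, "->", usable_node(8, u, cover))
    print(kgc_work(1024, {5, 700}))
```

A revoked user's path never meets the cover, which is the bookkeeping counterpart of "cannot generate the decryption key".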

67 Main Idea for History-Free Update
R(H)IBE:
KGC (or a parent user) issues a long-term secret key $sk_{ID}$ using msk (or $sk_{parent\text{-}id}$).
KGC (or a parent user) broadcasts key update information $ku_T$, which is computed by msk (or $sk_{parent\text{-}id}$).
A (child) user can generate the decryption key $dk_{ID,T}$ from $sk_{ID}$ and $ku_T$ if he/she is not revoked at time T.
Two situations are equivalent: a user ID is not revoked at time T; the user can generate the decryption key $dk_{ID,T}$.
Re-define the key update algorithm.

68 Main Idea for History-Free Update
Previous syntax / Our modification:
No parent secret key is required (for history-free approach).
State information takes a role of the delegation key.
dk is used instead of sk and ku.

69 Main Idea for History-Free Update
Previous syntax / Our modification:
The secret key is used only for generating the decryption key dk.
No parent secret key is required (for history-free approach).
State information takes a role of the delegation key.
Low-level users do not need to know what ancestors did during key updates.
dk is used instead of sk and ku.

75 Proposed RHIBE Scheme (SD)
The main part is the same as that of the LLP RIBE scheme: K. Lee, D. H. Lee, and J. H. Park. Efficient revocable identity-based encryption via subset difference methods, eprint.iacr.org/2014/132,
One difference is: we introduce the false master key for history-free construction so that sk does not contain the master key $\alpha$.
See the paper for details.

76 Comparison

77 Comparison
DBDH; q-weak Bilinear Diffie-Hellman Inversion

78 Conclusion and Future work
RHIBE: History-free update, insider security, short ciphertext, and DKER.
The reduction to the underlying HIBE requires the challenge identity for the security proof.
Adaptive-ID secure RHIBE under a static assumption with these desirable properties.
